Re: [PEN-TEST] NAT / Stateful Packet Inspection Questions
From: "Loschiavo, Dave" <DLoschiavo () FRCC CC CA US>
Date: Fri, 29 Sep 2000 07:30:59 -0700
How's this for an attack scenario...
Since the firewall is not blocking any outbound traffic (bad move) I would
make an effort to acquire the email addresses of internal users. That
shouldn't be too hard to do if they do business with anyone. Once I had that
I would send HTML email to those addresses and try to exploit this 'feature'
of Windows: http://www.oamk.fi/~jukkao/bugtraq/0003/0171.html. I would then
crack the passwords for the accounts that viewed the email and try to log on
to listening services using those accounts and passwords.
1. I am able to find a valid email address.
2. HTML mail is not cleaned before it reaches the user.
3. The email client does HTML mail.
4. The email client is residing on a MS OS.
5. The users who read the email have authenticated to an NT domain.
6. The users who read the email have the ability to log on to the listening
services I am trying to access via open firewall ports.
Any comments regarding this method of attack would be greatly appreciated. I
am new to the process of penetration testing.
From: Leon Rosenstein
To: PEN-TEST () SECURITYFOCUS COM
Sent: 9/27/00 8:27 AM
Subject: [PEN-TEST] NAT / Stateful Packet Inspection Questions
Hi everyone. This is the first time I am posting to this list so please
don't flame me if the question sounds insane or is out-of-line. If you are
forced to flame me at least have enough respect to do it in private. I am
curious and seeking knowledge.
I would like to set up a scenario and see what the group thinks.
I was trying to help my friend audit his network through a penetration
I found the firewall impenetrable (at least by me, which does not really
that much) (insert joke about newbies here).
The network has no remote access points (it does not have a VPN or any
Dial-Up Servers). It has only a server, router, & firewall.
The firewall is doing both NAT and Stateful Packet Inspection (SPI from
on in). There are no rules with the exception of the default (anything
going out can go out but nothing can come in unless the firewall has
or is aware of the potential incoming connection). If the connection
back in on a different port than the firewall expects (assumes) it will
Is there any way to circumvent this firewall (or any firewalls that
NAT and SPI as their primary defense mechanisms?) Is there any way to
direct access to the server? I have port scanned the router and found
listening ports and remote administration software but I am curious as
how one could circumvent the firewall (if this is done through hijacking
router I would be curious about that also).
I know very talented people in the industry read this list so any help
be much appreciated.
Oh and please feel free to respond on list or off.
Thanks in advance
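The two posts above describe a perimeter with one default rule (anything going out is allowed and creates state, nothing comes in unless the firewall already expects it) and Dave's objection that unrestricted outbound traffic is a "bad move". The following toy stateful filter is an added illustration of both points; it is not code from either poster and models only the policy described in the thread. The network prefix, ports and TEST-NET addresses in it are constructed sample values.

```python
"""Toy stateful packet filter (added example, not from the original thread).

It sits at the perimeter and only sees traffic crossing it. Outbound packets
create connection state; inbound packets are accepted only if they match state
the filter already holds. An optional egress allow-list shows what changes when
"anything going out can go out" is replaced by an explicit outbound policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Flow key as seen from the outside: (remote ip, remote port, local ip, local port, proto)
FlowKey = Tuple[str, int, str, int, str]


class StatefulFilter:
    def __init__(self, internal_prefix: str, allowed_egress: Optional[Set[int]] = None):
        # internal_prefix is a constructed placeholder, e.g. "10.0.0."
        self.internal_prefix = internal_prefix
        # None reproduces the permissive default from the post; a set of ports
        # restricts which destination ports internal hosts may initiate to.
        self.allowed_egress = allowed_egress
        self.state: Set[FlowKey] = set()
        self.log: List[str] = []

    def _is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        outbound = self._is_internal(pkt.src_ip) and not self._is_internal(pkt.dst_ip)
        if outbound:
            if self.allowed_egress is not None and pkt.dst_port not in self.allowed_egress:
                self.log.append(f"DROP egress {pkt.src_ip}:{pkt.src_port} -> "
                                f"{pkt.dst_ip}:{pkt.dst_port}/{pkt.proto}")
                return False
            # Remember the flow so the reply from the same peer/port is expected.
            self.state.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
            return True
        # Inbound: only traffic matching an existing flow is accepted. A reply
        # arriving from a different remote port than the one contacted does not
        # match and is dropped, which is the behaviour the original post asks about.
        key: FlowKey = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key in self.state:
            return True
        self.log.append(f"DROP inbound {pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_ip}:{pkt.dst_port}/{pkt.proto} (no state)")
        return False


def simulate(allowed_egress: Optional[Set[int]]) -> Dict[str, bool]:
    """Run the same four constructed packets through a filter with the given egress policy."""
    fw = StatefulFilter("10.0.0.", allowed_egress)
    return {
        # internal host initiates to an outside server on port 139
        "outbound_139": fw.handle(Packet("10.0.0.5", 40000, "203.0.113.9", 139)),
        # the server replies from the port that was contacted
        "reply_same_port": fw.handle(Packet("203.0.113.9", 139, "10.0.0.5", 40000)),
        # the same server replies from a different port
        "reply_other_port": fw.handle(Packet("203.0.113.9", 445, "10.0.0.5", 40000)),
        # an unrelated outside host tries to connect in
        "unsolicited_inbound": fw.handle(Packet("198.51.100.7", 5555, "10.0.0.5", 139)),
    }


if __name__ == "__main__":
    print("permissive egress:", simulate(None))
    print("egress limited to 80/443:", simulate({80, 443}))
```

With the permissive policy the outbound connection and its matching reply pass while the other two packets are dropped, which is exactly the behaviour Leon describes. With egress limited to 80 and 443 the outbound connection on port 139 is dropped before any state exists, so the reply is dropped as well; that is the control Dave's "bad move" remark points at.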